Analysis
max time kernel
196s
max time network
203s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250218-en
resource tags
arch:x64 arch:x86 image:win10ltsc2021-20250218-en locale:en-us os:windows10-ltsc 2021-x64 system
submitted
12/03/2025, 16:18
Static task
static1
Behavioral task
behavioral1
Sample
Lancaster.zip
Resource
win10ltsc2021-20250218-en
Behavioral task
behavioral2
Sample
Lancaster.zip
Resource
win11-20250217-en
General
Target
Lancaster.zip
Size
7.5MB
MD5
aa29ff8dcbfb8156eba033e28f03a04f
SHA1
1453014278c8891fce9685c0a6bd4d079a763c24
SHA256
1a34c9b4500cf7859c36c102209902202fb7188aca1ba759f2d5018bf2655cc1
SHA512
14a8efc38a3dd0215b5b9587c80740681e0464f075ee777389e9458411590cf3cdd3eb0a7ef328effea5ae0ddc6e6af20266ed88717743cd46b364e0736c3eef
SSDEEP
196608:GHSvJ6cIKoyGu1Rox8S3E06jJ/lSeZ/zr1mzScXNwG6qyOmcwzr+o:GHSAzTZu1RoxhL6hhpzQS4Sbqxm1N
Malware Config
Signatures
-
SectopRAT payload 1 IoCs
resource yara_rule
behavioral1/memory/3896-16-0x0000000000770000-0x0000000000844000-memory.dmp family_sectoprat
The memory dump that matched is taken from PID 3896, which the process tree below identifies as MSBuild.exe, the final hop of the injection chain.
Sectoprat family
-
Uses browser remote debugging 2 TTPs 9 IoCs
Can be used to control the browser and steal sensitive information such as credentials and session cookies. In this run both Chrome (--remote-debugging-port=8322) and Edge (--remote-debugging-port=8105) are started with a DevTools port by MSBuild.exe (PID 3896), the process whose memory carries the SectopRAT payload; the renderer processes listed below carry the same flag only because the browser passes it to its own children.
pid Process
2688 chrome.exe
4292 chrome.exe
4004 chrome.exe
2412 msedge.exe
2300 msedge.exe
3088 chrome.exe
3936 chrome.exe
1112 msedge.exe
1940 msedge.exe
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target
PID 3496 set thread context of 4540 3496 zkwindow.exe 97
PID 4540 set thread context of 3896 4540 cmd.exe 100
Drops file in Windows directory 1 IoCs
description ioc Process
File opened for modification C:\Windows\SystemTemp chrome.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language zkwindow.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MSBuild.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments. All three reads in this run come from msedge.exe (the crashpad handler, PID 5068, in the process tree below), which is ordinary browser start-up behaviour; the finding worth acting on is that the browser itself was launched by MSBuild.exe, not the registry reads on their own.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString msedge.exe
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz msedge.exe
Enumerates system info in registry 2 TTPs 8 IoCs
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe
Suspicious behavior: EnumeratesProcesses 37 IoCs
pid Process (number of entries)
3496 zkwindow.exe (2)
4540 cmd.exe (2)
3896 MSBuild.exe (23)
2688 chrome.exe (2)
5068 msedge.exe (4)
3768 msedge.exe (2)
2412 msedge.exe (2)
Suspicious behavior: MapViewOfSection 3 IoCs
pid Process
3496 zkwindow.exe
4540 cmd.exe
4540 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
pid Process (number of entries)
2688 chrome.exe (4)
2412 msedge.exe (3)
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process
Token: SeDebugPrivilege 3896 MSBuild.exe
Token: SeShutdownPrivilege 2688 chrome.exe
Token: SeCreatePagefilePrivilege 2688 chrome.exe
Suspicious use of FindShellTrayWindow 51 IoCs
pid Process 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2688 chrome.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe 2412 msedge.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3896 MSBuild.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 3496 wrote to memory of 4540 3496 zkwindow.exe 97 PID 3496 wrote to memory of 4540 3496 zkwindow.exe 97 PID 3496 wrote to memory of 4540 3496 zkwindow.exe 97 PID 3496 wrote to memory of 4540 3496 zkwindow.exe 97 PID 4540 wrote to memory of 3896 4540 cmd.exe 100 PID 4540 wrote to memory of 3896 4540 cmd.exe 100 PID 4540 wrote to memory of 3896 4540 cmd.exe 100 PID 4540 wrote to memory of 3896 4540 cmd.exe 100 PID 4540 wrote to memory of 3896 4540 cmd.exe 100 PID 3896 wrote to memory of 2688 3896 MSBuild.exe 102 PID 3896 wrote to memory of 2688 3896 MSBuild.exe 102 PID 2688 wrote to memory of 1572 2688 chrome.exe 103 PID 2688 wrote to memory of 1572 2688 chrome.exe 103 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 
2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 792 2688 chrome.exe 104 PID 2688 wrote to memory of 1480 2688 chrome.exe 105 PID 2688 wrote to memory of 1480 2688 chrome.exe 105 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106 PID 2688 wrote to memory of 3396 2688 chrome.exe 106
Processes
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Lancaster.zip1⤵PID:4532
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3604
-
C:\Users\Admin\Documents\Lancaster\version_21\zkwindow.exe"C:\Users\Admin\Documents\Lancaster\version_21\zkwindow.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3496 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe2⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4540 -
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3896 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=8322 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2688 -
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff9aadccc40,0x7ff9aadccc4c,0x7ff9aadccc585⤵PID:1572
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2100,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2088 /prefetch:25⤵PID:792
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1944,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2084 /prefetch:35⤵PID:1480
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2332,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=2228 /prefetch:85⤵PID:3396
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3224,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3252 /prefetch:15⤵
- Uses browser remote debugging
PID:3088
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3260,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=3424 /prefetch:15⤵
- Uses browser remote debugging
PID:4292
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4536,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4560 /prefetch:25⤵
- Uses browser remote debugging
PID:3936
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --remote-debugging-port=8322 --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4308,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4528 /prefetch:15⤵
- Uses browser remote debugging
PID:4004
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4756,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=4216 /prefetch:85⤵PID:2800
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5020,i,11312645924628805647,17357684495030842505,262144 --variations-seed-version=20250217-180411.635000 --mojo-platform-channel-handle=5056 /prefetch:85⤵PID:1484
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=8105 --profile-directory="Default"4⤵
- Uses browser remote debugging
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
PID:2412 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x144,0x148,0x14c,0x120,0x150,0x7ff9a5f346f8,0x7ff9a5f34708,0x7ff9a5f347185⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
PID:5068
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:25⤵PID:4908
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
PID:3768
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:85⤵PID:1732
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8105 --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:15⤵
- Uses browser remote debugging
PID:1940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8105 --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:15⤵
- Uses browser remote debugging
PID:1112
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --remote-debugging-port=8105 --field-trial-handle=2188,11004368001318937933,14616611192236436,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4360 /prefetch:15⤵
- Uses browser remote debugging
PID:2300
-
-
-
-
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵PID:4908
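The two signatures that carry the weight of this report are the SetThreadContext/WriteProcessMemory chain (zkwindow.exe to cmd.exe to MSBuild.exe) and the DevTools-enabled browser launches from MSBuild.exe. The block below is an editor-added example, not part of the tria.ge report and not tria.ge's own signature logic, of how to express both as rules over process-creation and memory-API telemetry. The process records and API events are constructed from the tree and signature tables above; the parent PID of zkwindow.exe is not recorded in the report and is set to 0, and the browser list and injection-host list are the editor's assumptions.

```python
"""Editor-added example (not from the tria.ge report): two detection rules run
over process records and memory-API events constructed from the tree above."""
import re
from dataclasses import dataclass

# Browser main processes that expose the DevTools protocol when started with
# --remote-debugging-port or --remote-debugging-pipe (list is an editor assumption).
BROWSERS = {"chrome.exe", "msedge.exe", "brave.exe", "opera.exe", "vivaldi.exe"}
# Signed Microsoft binaries commonly used as injection hosts (editor assumption).
INJECTION_HOSTS = {"msbuild.exe", "cmd.exe", "regasm.exe", "regsvcs.exe",
                   "installutil.exe", "aspnet_compiler.exe"}
DEBUG_FLAG = re.compile(r"--remote-debugging-(?:port|pipe)\b", re.IGNORECASE)


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 = parent not recorded
    image: str
    cmdline: str


@dataclass(frozen=True)
class ApiEvent:
    api: str         # "WriteProcessMemory", "SetThreadContext", ...
    pid: int         # calling process
    target: int      # process acted upon


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_debug_browsers(procs):
    """Browser main processes started with a DevTools flag by a non-browser parent.
    Renderer/gpu/utility children carry the same flag (see --type=renderer above)
    but are spawned by the browser itself, so they are skipped to avoid noise."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if basename(p.image) not in BROWSERS or not DEBUG_FLAG.search(p.cmdline):
            continue
        if "--type=" in p.cmdline:
            continue
        parent = by_pid.get(p.ppid)
        parent_name = basename(parent.image) if parent else None
        if parent_name not in BROWSERS:
            hits.append((p.pid, basename(p.image), parent_name))
    return hits


def find_injection_chains(procs, events):
    """Source/target pairs where one process both wrote the other's memory and
    replaced a thread context, and the target is a known host binary started
    with a bare command line (no arguments), as cmd.exe and MSBuild.exe are above."""
    by_pid = {p.pid: p for p in procs}
    apis_by_pair = {}
    for e in events:
        apis_by_pair.setdefault((e.pid, e.target), set()).add(e.api)
    chains = []
    for (src, dst), apis in apis_by_pair.items():
        if not {"WriteProcessMemory", "SetThreadContext"} <= apis:
            continue
        target = by_pid.get(dst)
        if target is None or basename(target.image) not in INJECTION_HOSTS:
            continue
        bare = target.cmdline.strip().strip('"').lower() == target.image.lower()
        if bare:
            src_name = basename(by_pid[src].image) if src in by_pid else None
            chains.append((src, src_name, dst, basename(target.image)))
    return chains


CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
ZK = r"C:\Users\Admin\Documents\Lancaster\version_21\zkwindow.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

# Constructed from the process tree in the report (a subset of the browser children).
PROCS = [
    Proc(3496, 0, ZK, f'"{ZK}"'),
    Proc(4540, 3496, CMD, CMD),
    Proc(3896, 4540, MSBUILD, MSBUILD),
    Proc(2688, 3896, CHROME, f'"{CHROME}" --remote-debugging-port=8322 --profile-directory="Default"'),
    Proc(1480, 2688, CHROME, f'"{CHROME}" --type=utility --utility-sub-type=network.mojom.NetworkService'),
    Proc(3088, 2688, CHROME, f'"{CHROME}" --type=renderer --remote-debugging-port=8322 --lang=en-US'),
    Proc(2412, 3896, EDGE, f'"{EDGE}" --remote-debugging-port=8105 --profile-directory="Default"'),
    Proc(1940, 2412, EDGE, f'"{EDGE}" --type=renderer --remote-debugging-port=8105 --lang=en-US'),
]

# Constructed from the SetThreadContext and WriteProcessMemory signature tables.
EVENTS = [
    ApiEvent("SetThreadContext", 3496, 4540),
    ApiEvent("SetThreadContext", 4540, 3896),
    ApiEvent("WriteProcessMemory", 3496, 4540),
    ApiEvent("WriteProcessMemory", 4540, 3896),
    ApiEvent("WriteProcessMemory", 3896, 2688),   # write without SetThreadContext: not a chain by itself
    ApiEvent("WriteProcessMemory", 2688, 792),
]

if __name__ == "__main__":
    for pid, image, parent in find_debug_browsers(PROCS):
        print(f"DevTools-enabled {image} (PID {pid}) launched by {parent}")
    for src, sname, dst, dname in find_injection_chains(PROCS, EVENTS):
        print(f"{sname} (PID {src}) injected into {dname} (PID {dst})")
```

Run as-is the script reports the two browser launches from MSBuild.exe and the two injection hops, and stays silent on the renderer children and on the parent-to-child write from MSBuild.exe to Chrome. The bare-command-line test is deliberate: a hollowed host is started suspended with no arguments, whereas legitimate MSBuild.exe or cmd.exe invocations almost always carry a project file or a /c string.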
Network
MITRE ATT&CK Enterprise v15
Credential Access
Modify Authentication Process 1
Steal Web Session Cookie 1
Unsecured Credentials 1
Credentials In Files 1
Downloads
-
Filesize
2B
MD5
d751713988987e9331980363e24189ce
SHA1
97d170e1550eee4afc0af065b78cda302a97674c
SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
Filesize
16KB
MD5
470eb63cd3bb53bd0d8fa7b755ec63b3
SHA1
9990a6ff861d1fd97f9825e5245ef6f2b8e11b67
SHA256
28133b691344d14e0c90a3150019d820202047f81cd5824c264590d774fb4968
SHA512
bce5ba8fc484a4227436bbbcfe648846db3846a0befc1a708febf7911ccb02ea9af0cb6520c9a31370836baf2874506fdfb676e812e811f2cfa8d016f9e1ad81
-
Filesize
152B
MD5
c787930d470d0be053d565378051623e
SHA1
28e41641d6c01ee6eac6d8da2b1bbcdf846bbaf0
SHA256
a80de15c02d30a203b3ed152d11995318fe79a4eb99fa6de1f5600ad6623248f
SHA512
9736fc38006a0e8bf29a1c87c251afa1d47dfbadefbc16e844c15d626dc7d0aad622e3bd0925f3abe745a312914a3e9db2026439cbbd2a752589d1f3499aeb7e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\78b6a9b6-aa1e-4158-8639-c3ee30d7f2f9.tmp
Filesize
25KB
MD5
0cd39cdccc8f3b3939648da828389f22
SHA1
ff3211bd0be85614f15c3a0ad377018d56ede494
SHA256
efdce0e430392d46ab498257a982b91e835616d0f8bfcac0616b422706f6c915
SHA512
d717fb61e5eb0702772b7379a405461f6716f68e12e31127a6d54482c6f545951424a06c6d54fda79685fa4144a692c7deb63795d775efd5a9f571b986685339
-
Filesize
5KB
MD5
57eb58a1673036c458fd0e8a3cc0aeb5
SHA1
a38804b1cbd46df440fc8ab2acade50cbfc9d252
SHA256
12a74bc4e5f2d660645a6495f3b19e708aa3798cc08ff4bad6d712f37d655195
SHA512
825f858e933f14ff67e6a804a7eff08f490fbbeb9a6ad369f66a90adec268ba6070d57e5702afcd29d1b8dfd56a679e719ae878ca866e2dc758b57d6a7f9b749
-
Filesize
25KB
MD5
7636724d8b2102f0a75a6097a61064d9
SHA1
8cc7f171c59533c3cff01c2caa16f34923f0f008
SHA256
851e05cafd8d54dcace48ee02d74ceda02042a053b3befaf2f8c9f466d28c5aa
SHA512
3b339bc4dc52f576207265341a415e5dfa9f770b1b5e4e105b10a8c69e05505e3e4e2d56468c5ca682ea2723e8b1866a1a78595149ee59b219bd620b9509175b
-
Filesize
1.5MB
MD5
44bc12e104f0c7ff320947dd3afd631d
SHA1
de0bb513c6ff111dac8058abe30cc67e9add93c9
SHA256
3437ccd518af59f2181e1b9ce445521314f6fbe1094ac38b62a49cc1b04729c9
SHA512
40d7f52a2780d7e7f86b3fd9eab32d30d1cad192ceb1f268b11056a244e1d6958b7c13ac282839dbb566b1cb5e7d6631cb3d9d778b9703627d6c1f550bf6757f
-
Filesize
596B
MD5
aa0e77ec6b92f58452bb5577b9980e6f
SHA1
237872f2b0c90e8cbe61eaa0e2919d6578cacd3f
SHA256
aad1c9be17f64d7700feb2d38df7dc7446a48bf001ae42095b59b11fd24dfcde
SHA512
37366bd1e0a59036fe966f2e2fe3a0f7dce6f11f2ed5bf7724afb61ea5e8d3e01bdc514f0deb3beb6febfd8b4d08d45e4e729c23cc8f4cae4f6d11f18fc39fa6
-
Filesize
1KB
MD5
b99e276fef10819d079bc384a542e551
SHA1
aa944e07cc4067c74ab3463eee6ef6ea2404cc5e
SHA256
6851b8fe5bc61870c4097702858853f4a25332e4b813dfc9932ee0ca7d77f691
SHA512
22db1c84cc67ea221d298a14508c9f36265e6ac2c14fd29d30df3c43fbfb6ba80c9c587bd3a00e6662069096bc03bf6077186162a4a010d9f64d76aa1ea96e11
-
Filesize
5KB
MD5
2c905a6e4a21a3fa14adc1d99b7cbc03
SHA1
bd8682b580d951e3df05dfd467abba6b87bb43d9
SHA256
cc3631ced23f21ae095c1397770e685f12f6ad788c8fa2f15487835a77a380fb
SHA512
753e28bab9d50b7882a1308f6072f80fda99edeaa476fafc7e647d29f5c9c15f5c404689c866f8f198b7f1ed41bae3cc55ae4d15528b0df966a47cbc4b31caf6
-
Filesize
93KB
MD5
3c9137d88a00b1ae0b41ff6a70571615
SHA1
1797d73e9da4287351f6fbec1b183c19be217c2a
SHA256
24262baafef17092927c3dafe764aaa52a2a371b83ed2249cca7e414df99fac1
SHA512
31730738e73937ee0086849cb3d6506ea383ca2eac312b8d08e25c60563df5702fc2b92b3778c4b2b66e7fddd6965d74b5a4df5132df3f02faed01dcf3c7bcae
-
Filesize
569B
MD5
2835dd0a0aef8405d47ab7f73d82eaa5
SHA1
851ea2b4f89fc06f6a4cd458840dd5c660a3b76c
SHA256
2aafd1356d876255a99905fbcafb516de31952e079923b9ddf33560bbe5ed2f3
SHA512
490327e218b0c01239ac419e02a4dc2bd121a08cb7734f8e2ba22e869b60175d599104ba4b45ef580e84e312fe241b3d565fac958b874d6256473c2f987108cc
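The first entry under Downloads is a two-byte file with no path. As an editor-added check that is not part of the tria.ge report, the block below matches the four hashes recorded for that entry against a small table of constant byte strings (the candidate table is the editor's own) and also validates that each recorded hash is well-formed hex, since extraction sometimes fuses or truncates hash fields. The hashes turn out to be those of the JSON empty array `[]`. The report does not say where that body came from; an empty DevTools target listing from one of the debug ports is one plausible source, so the block only identifies the bytes and leaves attribution to the analyst.

```python
"""Editor-added example (not from the tria.ge report): identify a tiny sandbox
download by matching the report's hashes against short constant byte strings."""
import hashlib
import re

ALGS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}

# Hashes copied verbatim from the 2-byte entry under "Downloads" above.
REPORT_2B = {
    "md5": "d751713988987e9331980363e24189ce",
    "sha1": "97d170e1550eee4afc0af065b78cda302a97674c",
    "sha256": "4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945",
    "sha512": "b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af",
}

# Constructed candidate table (editor assumption): bodies that a local HTTP
# endpoint or a freshly created profile file commonly produces.
CANDIDATES = {
    "empty JSON array": b"[]",
    "empty JSON object": b"{}",
    "JSON null": b"null",
    "empty file": b"",
    "CRLF": b"\r\n",
}


def validate(report):
    """Names of algorithms whose recorded value is not hex of the expected
    length (or an algorithm this helper does not know)."""
    bad = []
    for alg, value in report.items():
        if alg not in HEX_LEN or not re.fullmatch(r"[0-9a-fA-F]{%d}" % HEX_LEN[alg], value):
            bad.append(alg)
    return bad


def digests(data, algs=ALGS):
    return {alg: hashlib.new(alg, data).hexdigest() for alg in algs}


def identify(report, candidates=CANDIDATES):
    """Return (label, bytes) for the first candidate whose digests agree with
    every algorithm in the report, or None. A single disagreeing algorithm
    rejects the candidate, so a garbled hash in the report surfaces as no match
    rather than as a false identification."""
    if validate(report):
        return None
    for label, data in candidates.items():
        d = digests(data, tuple(report))
        if all(d[alg] == value.lower() for alg, value in report.items()):
            return label, data
    return None


if __name__ == "__main__":
    print("malformed fields:", validate(REPORT_2B))
    print("2-byte download is:", identify(REPORT_2B))
```

The same helper works for any of the other small entries above once their bytes are known; the point of requiring every listed algorithm to agree is that a report with one mis-extracted digest should fail loudly instead of matching on MD5 alone.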